Since you mentioned this, I want to bring up another more serious "daisy chaining" issue - password recovery question.

You see... there are a lot of websites providing similar question sets for users to recover their passwords. But AFAIK, while most of the companies store passwords in encrypted form, more than a dozen of them I know of store answers to such questions in plain text. (So their CS staff can read them and confirm customer identity on the phone.)

Remember the 2 big password database leaks earlier this year? What happens if the hackers target these questions instead of these (supposedly) difficult-to-recover passwords?

What's worse? A lot of these companies happen to store the password recovery email address in plain text too! That means if you use similar password recovery questions in the email service you use to receive the recovery password, the hacker would know what "question and answer" to use to break into that email account.

If you happen to be a developer maintaining such systems, please be sure to at least apply some basic two-way encryption to them, or in one of the next waves of network attacks your company will have an embarrassing moment. Thank you for your attention.
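As an added illustration, not part of the post above, here is one way a recovery-question store can be built so that a database leak does not hand out readable answers: each answer is normalized (so "Fluffy " and "fluffy" still match), salted per user and question, stretched with PBKDF2 from the Python standard library, and verified in constant time. The post asks for two-way encryption so that support staff can read answers; this example takes the one-way (hashed) route instead, which is the example's own design choice rather than the post's recommendation. The class and function names, the iteration count, and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Assumed parameters for this toy store (not from the post).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so harmless variation (case, spacing,
    Unicode form) does not lock the legitimate user out."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same answer get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so response timing does not leak digest bytes."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, expected)


class RecoveryStore:
    """Hypothetical per-user store of hashed recovery answers.
    Nothing readable is kept: only (salt, digest) pairs per question id."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}

    def enroll(self, user: str, answers: Dict[str, str]) -> None:
        self._records[user] = {qid: hash_answer(a) for qid, a in answers.items()}

    def check(self, user: str, answers: Dict[str, str]) -> bool:
        """All enrolled questions must be answered correctly; an unknown user or
        a missing question fails the same way as a wrong answer."""
        record = self._records.get(user)
        if record is None:
            return False
        ok = True
        for qid, (salt, digest) in record.items():
            given = answers.get(qid, "")
            # Evaluate every question rather than returning early, so the
            # number of wrong answers is not visible through timing.
            ok = verify_answer(given, salt, digest) and ok
        return ok

    def stored_values_are_plaintext(self, user: str) -> bool:
        """Sanity check for an audit: a stored value that decodes to the
        normalized answer would mean the store is leaking plaintext."""
        return any(
            isinstance(v, str) for v in self._records.get(user, {}).values()
        )


if __name__ == "__main__":
    # Constructed sample data.
    store = RecoveryStore()
    store.enroll("alice", {"pet": "Fluffy", "city": "New  York"})
    print(store.check("alice", {"pet": "FLUFFY", "city": "new york"}))   # True
    print(store.check("alice", {"pet": "Fluffy", "city": "Boston"}))     # False
    print(store.stored_values_are_plaintext("alice"))                    # False
```

Hashing raises the cost of a leaked table but does not fix the other weakness the post points at: answers such as a pet's name or a city are low-entropy, and the same answers reused across services are only as safe as the weakest store holding them. Limiting recovery attempts per account and notifying the user on every recovery attempt belong beside the hashing, not instead of it.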